Account Management: Guidelines and best practices

Account management practices have a major impact on network security. A well-chosen password is one defence against account takeover and identity theft.

Applying the following guidelines and best practices reduces the potential for security breaches.

These guidelines and best practices are intended to inform and assist System Administrators who deal with servers or services connected to the University of Ottawa network.

Password Characteristics

Minimum password length

Password length must be checked automatically at the time users construct or select a password. All passwords must be at least ten (10) characters long.

Difficult-to-guess passwords required

All user-chosen passwords for computers and networks must be difficult to guess. Words found in a dictionary, derivatives of user-IDs, common character sequences such as “123456”, personal details such as spouse’s and pet’s names, license plate numbers, social insurance numbers, and birthdates must not be employed.

User-chosen passwords must not be reused

Users must not choose passwords that are identical or substantially similar to passwords they have previously used. Reusing passwords increases the chance that a password will be divulged to unauthorized parties: an old password that was ever exposed remains a working credential.

Passwords should contain a mix of characters

All user-chosen passwords should contain characters from at least three of the following four groups:

Lower case alphabet

Upper case alphabet

Numbers (0-9)

Punctuation

Control characters and other non-printing characters are discouraged because they may be altered or dropped in network transmission, or be interpreted as commands by terminals and system utilities.
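The password characteristics above, implemented as one check routine. This is an added example, not part of the University of Ottawa guideline: the word list, the common-sequence list and the function names are assumptions, and a real deployment would load a full dictionary and a breached-password list in place of the handful of words embedded here.

```python
import string

# Constructed, illustrative word list. A real deployment would load a full
# dictionary (e.g. /usr/share/dict/words) and a breached-password list instead.
DICTIONARY = {"password", "welcome", "ottawa", "university", "computer", "letmein"}

# The sequence the guideline names ("123456") plus a few other common runs.
COMMON_SEQUENCES = ("123456", "abcdef", "qwerty", "111111", "000000")

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}

MIN_LENGTH = 10    # "at least ten characters"
MIN_CLASSES = 3    # "three of the following four groups"


def _normalise(text):
    """Lower-case and drop non-alphanumerics, so 'J.Smith-99' compares as 'jsmith99'."""
    return "".join(c for c in text.lower() if c.isalnum())


def _is_derivative(candidate, token):
    """True if token (user-ID, name, plate, date...) or its reverse appears in candidate.
    Tokens under 3 characters are ignored so that initials do not reject every password."""
    t = _normalise(token)
    if len(t) < 3:
        return False
    c = _normalise(candidate)
    return t in c or t[::-1] in c


def check_password(candidate, user_id, personal_details=()):
    """Return the list of rules the candidate violates; an empty list means accept.

    personal_details is an iterable of strings the site knows about the user
    (names, licence plate, birthdate as typed) that the password must not contain.
    """
    violations = []

    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)

    # str.isprintable() is False for control and other non-printing characters
    # (tab, newline, NUL, zero-width characters); a plain space is still allowed.
    if any(not c.isprintable() for c in candidate):
        violations.append("contains control or non-printing characters")

    present = sum(1 for chars in CHARACTER_CLASSES.values()
                  if any(c in chars for c in candidate))
    if present < MIN_CLASSES:
        violations.append("uses %d of 4 character classes; %d required" % (present, MIN_CLASSES))

    lowered = candidate.lower()
    if any(seq in lowered for seq in COMMON_SEQUENCES):
        violations.append("contains a common character sequence")

    # Check the whole password and the password with leading/trailing digits and
    # punctuation stripped, so 'Password1!' is caught as well as 'password'.
    core = lowered.strip(string.digits + string.punctuation)
    if lowered in DICTIONARY or core in DICTIONARY:
        violations.append("is a dictionary word, possibly padded with digits or punctuation")

    if _is_derivative(candidate, user_id):
        violations.append("is derived from the user-ID")

    for detail in personal_details:
        if _is_derivative(candidate, detail):
            violations.append("contains personal detail %r" % detail)

    return violations


if __name__ == "__main__":
    for pw in ("password", "Password1!", "JSmith2024!!", "Tr0ub4dor&3xample"):
        print(pw, "->", check_password(pw, "jsmith") or "accepted")
```

Returning every violated rule, rather than stopping at the first, lets the login system tell the user exactly why a choice was refused; the check runs on the candidate before it is hashed and must therefore live on the server or in the password-setting utility, never in a log.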

Password Management

Storage of system-generated passwords

If passwords or Personal Identification Numbers (PINs) are generated by a computer system, they must always be issued immediately after they are generated. Regardless of the form they take, passwords and PINs that are generated but not issued must never be stored on the involved computer systems.

Protection of password generation algorithms

If passwords or PINs are generated by a computer system, all software and files containing formulas, algorithms, and other specifics of the process must be controlled with the most stringent security measures supported by the involved computer systems.

Previous password history file

On all multi-user machines, system software or locally developed software must maintain a history of each user's previous fixed (static) passwords, stored as salted one-way hashes rather than in any recoverable form. This history must be used to prevent users from reusing old passwords and should retain at least the last thirteen (13) passwords for each user-ID.

Displaying and printing of passwords

Displaying and printing of passwords must be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them.

Periodic forced password changes

All users should be automatically forced to change their passwords periodically; preferably every thirty (30) days for access to sensitive data and every ninety (90) days for access to other data.

Password change interval synchronization across platforms

The fixed password change interval may be synchronized across all University of Ottawa computer and network platforms where global sign-on requires it, so that a single change covers every system.

Assignment of expired passwords

The initial passwords issued by the account management administrator should be valid only for the involved user’s first on-line session. At that time, the user must be forced to choose another password before any other work can be done.

Limits on consecutive, unsuccessful attempts to enter a password

To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. For example, after ten (10) unsuccessful attempts to enter a password, the involved user-ID should be either:

suspended until reset by a system administrator, or

temporarily disabled for no less than three minutes
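The lockout rule as a small per-user-ID counter, an added example rather than the guideline's own code. Both options in the list are supported: a temporary lock that expires after lock_seconds (three minutes by default), or suspension until an administrator resets the account. The class and method names are assumptions.

```python
import time

MAX_FAILURES = 10      # consecutive failures before the user-ID is locked
LOCK_SECONDS = 180     # minimum temporary lockout: three minutes


class LoginThrottle:
    """Per-user-ID consecutive-failure counter implementing the lockout rule."""

    def __init__(self, max_failures=MAX_FAILURES, lock_seconds=LOCK_SECONDS, admin_reset=False):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.admin_reset_required = admin_reset   # True: suspend until an administrator resets
        self._failures = {}        # user_id -> consecutive failed attempts
        self._locked_until = {}    # user_id -> unlock time (epoch seconds), or None for suspension

    def is_locked(self, user_id, now=None):
        """Check the lock before doing any password comparison at all."""
        now = time.time() if now is None else now
        if user_id not in self._locked_until:
            return False
        until = self._locked_until[user_id]
        if until is None:          # suspended until an administrator resets it
            return True
        if now < until:
            return True
        # Temporary lock has expired: clear it and start a fresh counter.
        del self._locked_until[user_id]
        self._failures[user_id] = 0
        return False

    def record_attempt(self, user_id, password_correct, now=None):
        """Return 'ok', 'denied' or 'locked'.

        password_correct is the result of the password check; while the user-ID
        is locked the result is 'locked' regardless, so callers should consult
        is_locked() first and skip the password check entirely.
        """
        now = time.time() if now is None else now
        if self.is_locked(user_id, now):
            return "locked"
        if password_correct:
            self._failures[user_id] = 0
            return "ok"
        self._failures[user_id] = self._failures.get(user_id, 0) + 1
        if self._failures[user_id] >= self.max_failures:
            self._locked_until[user_id] = None if self.admin_reset_required else now + self.lock_seconds
            return "locked"
        return "denied"

    def admin_reset(self, user_id):
        """System administrator clears a suspension (or a temporary lock) and the counter."""
        self._locked_until.pop(user_id, None)
        self._failures[user_id] = 0


if __name__ == "__main__":
    throttle = LoginThrottle()
    for attempt in range(1, 12):
        print(attempt, throttle.record_attempt("jsmith", False, now=1000.0))
```

Any lockout rule hands an attacker who knows a user-ID a way to lock that user out; the temporary option bounds the damage to three minutes per ten guesses, whereas suspension until an administrator reset turns the same guesses into help-desk load. Count failures per user-ID rather than per source address, or a guesser spread across many addresses never trips the limit.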

Single/Global sign-on process

Users must be asked for only one user-ID and password combination at the time they reach the network and/or destination computer system. User identity related information should then be passed (transparent to the user) to other computers, database management systems, services and applications.

All workstations must have password-based boot protection

All workstations used for University of Ottawa business activity, wherever they are located, should use an access control system approved by Information Technology. In most cases this means a password required at boot, together with a password-locked screen saver that activates after a period of inactivity.

Passwords never in readable form outside workstations

Fixed passwords must never exist in readable (plaintext) form outside a personal computer or workstation.

Protection of passwords sent through the mail

If sent by regular mail or similar physical distribution systems, passwords must be sent separately from user-IDs. These mailings must have no markings indicating the nature of the enclosure. Passwords must also be concealed inside an opaque envelope that will readily reveal tampering.

Storage of passwords in readable form

Passwords must not be stored in readable form in batch files, automatic login scripts, software macros, terminal function keys, in computers without access control, or in other locations where unauthorized persons might discover or use them.

Encryption of passwords

Passwords held in storage for any significant period of time must be stored as salted one-way hashes, never in plaintext or in reversible (decryptable) form, and must be transmitted over networks only through encrypted connections. This prevents their disclosure to wire-tappers, technical staff reading system logs, and other unauthorized parties.
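A history store that satisfies both the "Previous password history file" rule above and this one, as an added example that is not part of the guideline: passwords are kept only as salted scrypt hashes, the last thirteen per user-ID are retained, exact reuse is refused, and the "substantially similar" rule is applied against the current password, which is the only old password available in plaintext at change time. The class and function names, the scrypt work factor and the similarity threshold are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 13                               # last thirteen passwords per user-ID
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1     # work factor; raise N as hardware allows
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied
    (a supplied salt is used only when re-deriving a digest for comparison)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison against a stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def _edit_distance(a, b):
    """Levenshtein distance, used for the 'substantially similar' test."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def substantially_similar(new, old, max_edits=2):
    """Assumed threshold: equal ignoring case, one contained in the other, or
    within max_edits single-character edits (Winter2023! -> Winter2024!)."""
    a, b = new.lower(), old.lower()
    return a == b or a in b or b in a or _edit_distance(a, b) <= max_edits


class PasswordHistory:
    """Per-user-ID history of salted hashes; the newest entry is the live password."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self._entries = {}   # user_id -> deque of (salt, digest), oldest first

    def set_password(self, user_id, new_password, current_password=None):
        """Accept a new password or raise ValueError.

        Exact reuse is detected against the stored hashes. Similarity can only be
        checked against current_password, which the user types at change time;
        the older passwords exist only as hashes and cannot be compared.
        """
        entries = self._entries.setdefault(user_id, deque(maxlen=self.depth))
        for salt, digest in entries:
            if verify_password(new_password, salt, digest):
                raise ValueError("matches one of the last %d passwords" % self.depth)
        if current_password is not None and substantially_similar(new_password, current_password):
            raise ValueError("substantially similar to the current password")
        entries.append(hash_password(new_password))   # deque drops the oldest beyond depth

    def verify(self, user_id, password):
        """Login check against the user's current password."""
        entries = self._entries.get(user_id)
        if not entries:
            return False
        salt, digest = entries[-1]
        return verify_password(password, salt, digest)
```

Because each entry carries its own salt, the reuse check costs one scrypt derivation per stored password, which is what makes a thirteen-deep history acceptable at change time but too slow to run on every login; only the newest entry is consulted for login. A history that stored passwords reversibly, or a change screen that logged the candidate, would defeat the "never in readable form" rules above.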

Changing vendor default passwords

All vendor-supplied default passwords must be changed before any computer or communications system is used at the University of Ottawa.

User Responsibilities

Requirement for different passwords on different systems

To prevent compromising multiple systems, computer users must employ different passwords on each of the systems to which they have been granted access unless the Global Sign-on procedure is in place.

Suspected disclosure forces password changes

All passwords must be promptly changed if it is suspected or known that they have been disclosed to unauthorized parties.

Forced change of all passwords

Whenever a system has been compromised by an unauthorized party, or a compromise is even suspected, system managers must immediately change every password on the system involved. In either case a trusted version of the operating system and all security-related software must also be reloaded, and all recent changes to user and system privileges must be reviewed for unauthorized modifications.

In-person proof of identity to obtain a password

Passwords must never be disclosed over voice telephone lines unless the requester's identity can be confirmed by a pre-determined method. Otherwise the user must appear in person and present suitable identification.

Login Process

Unique user-ID and password required

Every user must have a single unique user-id and a personal secret password. This user-ID and password will be required for access to University of Ottawa multi-user computers and computer networks.

Security notice in system login banner

Every login process for multi-user computers must include a special notice. This notice must state: (1) the system is to be used only by authorized users, and (2) by continuing to use the system, the user represents that he/she is an authorized user.

Notice of last login time and date

At login time, every user should be shown the time and date of their previous login. This lets the user notice unauthorized use of their account.

Prohibition of multiple simultaneous on-line sessions

Unless in a UNIX environment, or where special permission has been granted by the system manager, computer systems must not allow any user to conduct multiple, simultaneous on-line sessions.

Automatic log-off process

If there is no activity on a computer terminal, workstation, or PC for twenty minutes, the system should automatically blank the screen and suspend the session. Re-establishment of the session must take place only after the user has provided the proper password.

Privilege Control

Granting user-IDs to outsiders

Individuals who are not employees, students, researchers, contractors, or consultants must not be granted a user-ID or otherwise be given privileges to use University of Ottawa computers or communications systems unless the written approval of a service director, dean or delegate has first been obtained.

Third party access to University of Ottawa requires signed contract

Before any third party is given access to University of Ottawa systems, a contract defining the terms and conditions of such access must have been signed by a responsible manager at the third party organization. Both the Security Architect and the Legal Counsel must also approve these terms and conditions.

Information systems access privileges terminate when employees leave

All University of Ottawa information systems privileges must be promptly terminated at the time that an employee ceases to provide services to the University of Ottawa, unless such services are extended to a specific community or special permission is obtained from the Director or the Dean.

Disclaimer of responsibility for damage to data and programs

The University of Ottawa uses access control and other security measures to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems. In keeping with these objectives, management maintains the authority to:

restrict or revoke any user’s privileges,

inspect, copy, remove, or otherwise alter any data, program, or other system resource that may undermine these objectives,

take any other steps deemed necessary to manage and protect its information systems.

This authority may be exercised with or without notice to the involved users. The University of Ottawa disclaims any responsibility for loss or damage to data or software that results from its efforts to meet these security objectives.

Restricted remote administration of Internet-connected computers

Remote administration of Internet-connected computers that are in the restricted secure zones or that contain sensitive data is permitted only over encrypted links and only with one-time passwords.

Dormant user-IDs and automatic privilege revocation

All user-IDs must automatically have the associated privileges revoked after a two (2) year period of inactivity. If an authorized user goes on vacation or leave-without-pay for an extended period, this policy will result in their user-ID being revoked unless permission is granted by the involved user’s department or service.

Periodic review and reauthorization of user access privileges

The system privileges granted to every user must be re-evaluated by the user's immediate manager every twelve months. This re-evaluation determines whether the currently enabled system privileges are still needed to perform the user's current job duties.

Administrative security management for all networked computers

Configurations and setup parameters on all hosts attached to the University of Ottawa network must comply with in-house security management policies and standards.

Schedule for deletion of files following worker termination

Unless otherwise requested, all files held in a user’s directories should be archived and then purged four weeks after the employee has permanently left University of Ottawa.